Date: Sun, 27 Jan 2002 22:09:23 +0100
From: Gerhard Sittig
To: stable@freebsd.org
Subject: Re: Firewall config non-intuitiveness
Message-ID: <20020127220923.B1494@shell.gsinet.sittig.org>
In-Reply-To: <20020127.120138.07163985.imp@village.org>; from imp@village.org on Sun, Jan 27, 2002 at 12:01:38PM -0700
Organization: System Defenestrators Inc.

On Sun, Jan 27, 2002 at 12:01 -0700, M. Warner Losh wrote:
>
> Please write up the exact details that you want to do so that those on
> security-officer know exactly what you are proposing.  It is my
> understanding that you want to make enable_firewall=NO totally dyke
> out the firewall that was compiled into the kernel and be a totally
> open relay.  I know that this breaks at least one machine that I have,
> but I also know that this breaks our current fail-safe behavior, which
> I'm strongly opposed to.

I filed a PR which does adjust the rc.conf comment (I understand
that LINT resp. NOTES as well as "man 5 rc.conf" both told the
originator of the thread what would happen while rc.conf was too
short and not authoritative enough a source to stop him from
shooting into his foot).

The synopsis is "[PATCH] rc.conf comment misleading
(firewall_enable)", the numeric handle is not available yet.  The
PR submit message actually went out together with this one -- I
live on a dialup line ...


virtually yours   82D1 9B9C 01DC 4FB4 D7B4  61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
-- 
     If you don't understand or are scared by any of the above
             ask your parents or an adult to help you.